Re: firewall is very slow, something's wrong

2007-10-10 Thread Scott Wells

And is it in a vacuum?

Peter N. M. Hansteen wrote:

Henning Brauer <[EMAIL PROTECTED]> writes:

so you think a 20 ton truck is twice as fast as a 10 ton truck?

horizontal or vertical motion? assuming a perfectly spherical truck?

Re: OpenBSD firewalls as virtual machine ?

2007-09-21 Thread Scott Wells
It sounds to me like the comments here are largely appropriate, 
virtualizing firewalls in the limited context that has been explained 
probably isn't a real good idea...at least due to perceived load.  
Additionally, if there are that many firewalls being run, instead of 
numerous interfaces in a fewer number of machines, you're going to 
continue to have problems being able to virtualize enough hardware 
network interfaces.


However, I don't fully agree with the sentiment that running a firewall 
in a virtual machine (let's be specific, VMWare ESX) guest environment.  
I'm running my firewall on an ESX 3.0.2 guest, and it works perfectly 
fine.  That being said, you have to be aware of the VM configuration.  
The majority of vulnerabilities in VMWare are patchable (so yes, someone 
needs to do maintenance), but are also issues that affect the VMKernel 
or service console, and with careful planning, the vulnerabilities can 
largely be prevented from being used as exploits on external interfaces.


And one final note...although I am a fan of virtualization (I work for 
the company that owns VMWare), I really, really wish they did not have 
so many freaking patches...


Kent Watsen wrote:
Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear) 
have been offering virtual-systems for years now.  I think the 
negative comments received here may be appropriate when sharing the 
system with non-secure guest OSs, but it seems that it might be 
alright if it's nothing but firewalls


Cheers,
Kent


Josh wrote:

Hello there.

We have a bunch of obsd firewalls, 8 at the moment, all working nice 
and so forth. But we need to add about another 4 in there for new 
connections and networks, which means more machines to find room for.

So basically I have been asked to investigate running all these 
firewalls in two big boxes, with lots of NICs, with a bunch of openbsd 
virtual machines on them. One main box for the primary firewalls, one 
for the secondary. Each virtual machine getting its own physical NIC.

Personally I don't really like the idea, I can see things going wrong, 
lots of stuff balancing on a guest os and box.

Can someone please inform me if this is a really bad idea or not, 
ideally with some nice reasoning?



Cheers,
   Josh




Re: vmware & cvs

2007-09-03 Thread Scott Wells
The problem is not VMWare...it's your setup.  I have 8 guests running 
3.8 - 4.1 running on ESX 3.0.1, all of them can grab stuff from CVS 
without an issue.  Unless you fix the problem, you'll experience the 
same results running VirtualBox guests.


Gábri Máté wrote:


Thank you for all your help, but I didn't have time to try it out. And
today VirtualBox 1.5.0 came out which supports OpenBSD 4.x, so I'll use
that one instead of VmWare.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu

